This is an automated email from the ASF dual-hosted git repository. rmannibucau pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/johnzon.git
The following commit(s) were added to refs/heads/master by this push: new 5eb2c7ff [doc] a word on BigDecimal/BigInteger 5eb2c7ff is described below commit 5eb2c7ff643700a8ba77dbe9c29d6500f54031ef Author: Romain Manni-Bucau <rmannibu...@gmail.com> AuthorDate: Tue Jul 25 12:19:55 2023 +0200 [doc] a word on BigDecimal/BigInteger --- src/site/markdown/security.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md index f072a33b..0b554bb0 100644 --- a/src/site/markdown/security.md +++ b/src/site/markdown/security.md @@ -37,3 +37,13 @@ If you need to report a bug that isn't an undisclosed security vulnerability, pl should be addressed to the [mailing list](http://johnzon.apache.org/mail-lists.html). The private security mailing address is: security (at) apache (dot) org + +## BigInteger and Java + +JSON-P/JSON-B exposes API using `BigDecimal` and `BigInteger`. +The bridge between these two types is `BigDecimal#toBigInteger` which has a slow implementation in Java without careness or scale max validation. + +Johnzon does some sanity checks on this value but at some point we recommend you to stay away from these API and handle big numbers using `String` type and parse them yourself since you are the only ones knowing the correct functional and relevant validation of the scale before a instantiation. + +If you know you don't need such big types, prefer using plain primitives (or wrappers). +
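Review bot: the heading `## BigInteger and Java` added at the top of the new section does not match what the section discusses, which is the `BigDecimal` to `BigInteger` bridge in JSON-P/JSON-B; a title such as `## BigDecimal and BigInteger` would let readers of security.md find the note. The second added paragraph also leaves the actionable part unspecified: "does some sanity checks on this value" does not say which check Johnzon applies (for example whether a maximum scale is enforced before `BigDecimal#toBigInteger` is called) or where it is configured, so a reader cannot verify that their deployment has the protection; name the check or link to its configuration. Wording in the same hunk: "without careness or scale max validation" reads better as "without any maximum-scale validation", "these API" should be "these APIs", and "a instantiation" should be "an instantiation".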